From owner-freebsd-security@freebsd.org Tue Jun 18 14:33:13 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1D3CD15BEB7B for ; Tue, 18 Jun 2019 14:33:13 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene.sentex.ca (unknown [IPv6:2607:f3e0:0:3::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pyroxene.sentex.ca", Issuer "Let's Encrypt Authority X3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 72561800DB for ; Tue, 18 Jun 2019 14:33:02 +0000 (UTC) (envelope-from mike@sentex.net) Received: from [192.168.43.29] ([192.168.43.29]) by pyroxene.sentex.ca (8.15.2/8.15.2) with ESMTPS id x5IEWxIX059065 (version=TLSv1.2 cipher=AES128-SHA bits=128 verify=NO) for ; Tue, 18 Jun 2019 10:33:00 -0400 (EDT) (envelope-from mike@sentex.net) To: "freebsd-security@freebsd.org" From: mike tancsa Subject: TCP SACK (CVE-2019-5599) Message-ID: <29d6e221-e88a-f828-0e5b-ac235691ed86@sentex.net> Date: Tue, 18 Jun 2019 10:33:00 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US X-Rspamd-Queue-Id: 72561800DB X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:3::18 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [1.12 / 15.00]; ARC_NA(0.00)[]; RDNS_NONE(1.00)[]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[sentex.net]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.61)[-0.611,0]; IP_SCORE(-1.73)[ipnet: 2607:f3e0::/32(-4.95), asn: 11647(-3.59), country: CA(-0.09)]; MX_GOOD(-0.01)[smtp.sentex.ca]; NEURAL_HAM_SHORT(-0.83)[-0.830,0]; SUBJ_ALL_CAPS(1.80)[24]; TO_DN_EQ_ADDR_ALL(0.00)[]; NEURAL_HAM_MEDIUM(-0.70)[-0.699,0]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; HFILTER_HOSTNAME_UNKNOWN(2.50)[]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jun 2019 14:33:13 -0000 Hi all, With respect to the bugs describe in https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md * * SACK Slowness (FreeBSD 12 using the RACK TCP Stack) *Description:* It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection. *Workaround #1:* Apply the patch split_limit.patch  and set the |net.inet.tcp.rack.split_limit| sysctl to a reasonable value to limit the size of the SACK table. *Workaround #2:* Temporarily disable the RACK TCP stack. (Note that either workaround should be sufficient on its own. It is not necessary to apply both workarounds.) ** *How does I know if this is enabled in my default kernel on RELENG_12 ? There is some vague mention in various forums this is not the default on FreeBSD ? Can anyone shed more light as to how this does/does not impact FreeBSD ? * * * *    ---Mike *